Control Flow Guard (CFG) (on by default) is a mitigation that prevents redirecting control flow to an unexpected

Data Execution Prevention (DEP) (on by default) is a security feature that was introduced in Vista and later platforms. The feature helps to prevent damage to your computer from viruses and other security threats. DEP protects your computer by monitoring programs to make sure they use system memory safely. When DEP senses malware, it might trigger a blue screen of death to protect the operating system.

Force Randomization for Images (Mandatory ASLR) (off by default) is a technique to evade attackers by randomizing where processes are positioned in memory. Address space layout randomization (ASLR) places address space targets in unpredictable locations. If an attacker attempts to launch an exploit, the target application will crash (blue screen), therefore stopping the attack.

Randomize Memory Allocations (Bottom-up ASLR) (on by default) enables bottom-up allocations (VirtualAlloc(), VirtualAllocEx()) to be randomized. This setting prevents the attacks that bypassed ASLR and DEP on Adobe Reader.

Validate Exception Chains (SEHOP) (on by default) prevents an attacker from using the Structured Exception Handler (SEH) overwrite exploitation technique. Since it was first published in September 2003, this attack has been a staple of many hackers’ arsenals.

You can set both system settings and program settings and then export them in an XML file to then deploy them to other computers via PowerShell.
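The export-and-deploy workflow described above, as an added example that is not part of the original article: it uses the ProcessMitigations cmdlets that ship with Windows 10 1709, and the file path and the per-program binary (notepad.exe) are placeholders chosen for illustration.

```powershell
# Added example (not from the article): capture Exploit Protection settings from a
# reference machine to XML, then apply that XML on other machines.
# Assumes Windows 10 1709 or later and an elevated PowerShell session.

$policyPath = 'C:\Temp\ExploitProtection.xml'   # placeholder path, adjust as needed

# --- On the reference machine ---
# System-wide defaults discussed above (DEP, SEHOP, bottom-up ASLR, CFG) and, as an
# example of a program setting, mandatory ASLR forced on a single binary.
Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp,CFG
Set-ProcessMitigation -Name notepad.exe -Enable ForceRelocateImages   # placeholder program

# Export both system and program settings to one XML file.
Get-ProcessMitigation -RegistryConfigFilePath $policyPath

# --- On each target machine (after copying the XML there) ---
Set-ProcessMitigation -PolicyFilePath $policyPath

# Verify: effective system-wide state, and the per-program entry that was imported.
Get-ProcessMitigation -System
Get-ProcessMitigation -Name notepad.exe
```

The same XML can be pushed through Group Policy (Exploit Protection settings path) instead of running Set-ProcessMitigation on every host; either way, test a mitigation such as mandatory ASLR on a pilot group first, because legacy binaries without relocation data can fail to start under it.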

Attack Surface Reduction

Attack Surface Reduction is a new set of tools that block primarily Office, Java, and other zero-day-type attacks. With the addition of a Windows E5 license and Windows Advanced Threat Protection, you will receive a cloud-based alerting system when these rules are triggered. However, it’s not mandatory to have the E5 license to manage and defend systems. This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.

Now you need to determine what you plan on blocking. It is recommended to begin in audit mode to evaluate the impact on your network and devices. The values you can set to enable Attack Surface Reduction are:

Block mode = 1

Disabled = 0

Audit mode = 2

Once you have determined that the protection will not impact productivity, you can set the value to Block Mode to fully enable the protections. Enter each rule on a new line as a name-value pair with a GUID code and then the value of 1 to enforce blocking, 0 to disable the rule, or 2 to set the rule to audit. When beginning to evaluate rules, set the value to 2 and monitor the results in the event log.

Name column: Enter a valid ASR rule ID or GUID

Value column: Enter the status ID that corresponds to the state you want to specify for the associated rule

The following rules can be enabled to better protect your computer and your network.

Malware often uses macro code in Office files to import and load Win32 DLLs, which then use API calls to further infect the system.
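The audit-first procedure described in this section, as an added example that is not part of the original article: it configures the Office macro rule just described through the Defender PowerShell cmdlets rather than the Group Policy list, reads the configuration back, and pulls the audit events from the Defender operational log. The rule GUID is the one Microsoft publishes for "Block Win32 API calls from Office macro"; confirm it against Microsoft's ASR rule reference before deploying.

```powershell
# Added example (not from the article): put one ASR rule into audit mode, confirm
# what Defender recorded, and review the audit events before moving to block mode.
# Assumes Windows Defender Antivirus is the active AV (required for ASR).

# Published GUID for "Block Win32 API calls from Office macro"; verify against
# Microsoft's ASR rule reference.
$ruleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# Same states as the Group Policy values (0 = Disabled, 1 = Block, 2 = Audit),
# expressed by name for the cmdlet. Add-MpPreference adds or updates a rule
# without replacing rules that are already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Read back every configured rule together with its state.
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} => {1}' -f $prefs.AttackSurfaceReductionRules_Ids[$i],
                     $prefs.AttackSurfaceReductionRules_Actions[$i]
}

# ASR writes to the Defender operational log:
#   1122 = audit hit (would have been blocked), 1121 = blocked.
# Review the 1122 events for legitimate business processes before enforcing.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# When the audit results are acceptable, switch the same rule to block mode:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
```

Forward the 1121/1122 events to your SIEM during the audit period; the Message field names the process and file involved, which is what you need to decide between an exclusion and enforcement.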

Network Protection

Network Protection is designed to protect your computer and your network from domains that may host phishing scams, exploits, and other malicious content on the internet. It can be enabled either via PowerShell or Group Policy. In the Group Policy Management Editor go to Computer Configuration, then Policies, then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection. Double-click the Prevent Users and Apps from Accessing Dangerous Websites setting and set the option to Enabled.

Once enabled you can test the feature by going to this website. The site should be blocked and you should see a notification indicating the site’s threat status in the system tray. The system now relies on Microsoft SmartScreen technology to block web sites. If a false positive is found, you must submit a request to whitelist a website using Microsoft’s submission page.

This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.

Controlled Folder Access

Controlled Folder Access protection is designed to prevent and defend from typical ransomware attacks. It can be enabled using the Windows Defender Security Center app, Group Policy, PowerShell, or configuration service providers for mobile device management. All applications that access any executable file (including .exe, .scr, and .dll files) use the Windows Defender Antivirus interface to determine if the application is safe. If the application is malicious, it is blocked from making changes to files in protected folders.

You can then manually add folders as you see fit. If you have an application that is blocked by Controlled Folder Access, you can allow that application. To allow an override, go into Group Policy Management Editor and then go to Computer Configuration. Click on Policies and then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access. Double-click the Configure Allowed Applications setting and set the option to Enabled. Click Show and enter each app. To allow an application via PowerShell, enter Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be allowed, including the path>". You will want to test the settings before widespread deployment to note what adjustments you need to make for full application compatibility.

This is the final one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.
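The Network Protection and Controlled Folder Access sections above both recommend testing before widespread deployment. As an added example that is not part of the original article, the following enables both features in audit mode through the Defender cmdlets, registers a protected folder and an allowed application (both paths are placeholders), and summarises the audit events each feature writes so an allow list can be built before switching to block mode.

```powershell
# Added example (not from the article): Network Protection and Controlled Folder
# Access in audit mode, with the audit events both features log.
# Assumes Windows Defender Antivirus is the active AV; paths are placeholders.

$protectedFolder = 'D:\Finance'                                  # placeholder
$allowedApp      = 'C:\Program Files\LineOfBusiness\lob.exe'     # placeholder

# Network Protection: AuditMode logs what would be blocked without blocking it.
Set-MpPreference -EnableNetworkProtection AuditMode

# Controlled Folder Access: same idea, plus the folder and application lists.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedApp

# Read back the resulting state.
Get-MpPreference |
    Select-Object EnableNetworkProtection, EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# Defender operational log IDs for these features:
#   1123 = CFA blocked an application, 1124 = CFA audit (would have blocked)
#   1125 = NP audit (would have blocked),  1126 = NP blocked
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 1125, 1126
} -ErrorAction SilentlyContinue

# Count per event type, then list the audit-only hits to review.
$events | Group-Object Id | Select-Object Name, Count
$events | Where-Object Id -in 1124, 1125 |
    Select-Object TimeCreated, Id, Message -First 20

# After review, switch both features to block mode:
# Set-MpPreference -EnableNetworkProtection Enabled
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

The 1124 events are the ones that matter for Controlled Folder Access rollout: each names a process that wrote to a protected folder, and most will be backup agents, installers and line-of-business tools that need an allowed-application entry rather than a block.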

Windows Security Baselines

Windows Security Baseline configurations have been updated to support Windows 10 1709. Security baselines are a set of recommended configurations to best secure systems in enterprises. Organizations can use the Security Compliance Toolkit to review recommended group policy settings. Microsoft certifies that they test updates against these configurations.

Windows Defender Advanced Threat Protection (ATP)

Windows Defender ATP is a cloud-based console that allows for forensic tracking of threats and attacks. It is enabled once you purchase a Windows E5 or Microsoft Office 365 E5 subscription. Once you purchase the subscription, you can enroll workstations via group policy or registry keys, which then upload telemetry to a cloud service. The service monitors for lateral attacks, ransomware, and other typical attacks. Release 1709 increases the analytics and security stack integration for better reports and integration.

On February 12, Microsoft announced that it is offering Windows Defender ATP down-level support for Windows 7 SP1 and Windows 8.1. In a blog post, the company said it is offering the service in recognition that many companies have a mix of Windows versions in place as they transition to Windows 10.

Windows Defender Application Guard

Application Guard ensures that enterprises can control Microsoft’s new Edge browser to best block and defend workstations from attacks. Application Guard must be deployed on 64-bit machines, and the machines must have Extended Page Tables, also called Second Level Address Translation (SLAT), as well as either Intel VT-x extensions or AMD-V. Windows 10 Enterprise version is also mandated.

Application Guard can be controlled via group policy, Intune, or System Center. Application Guard can be deployed via Windows Features or PowerShell using Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard. Once enabled, you can limit websites to block outside content in Internet Explorer and Edge, limit printing and the use of the clipboard, and isolate the browser to only use local network resources.
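A prerequisite check for the hardware and edition requirements listed above, followed by the enablement cmdlet the article names, as an added example that is not part of the original article. The function name is hypothetical; the checks read the Win32_Processor and Win32_OperatingSystem classes that Windows exposes through CIM.

```powershell
# Added example (not from the article): verify Application Guard prerequisites
# (64-bit OS, SLAT, Intel VT-x/AMD-V, Enterprise edition), then enable the feature.
# Run in an elevated PowerShell session. Function name is hypothetical.

function Test-ApplicationGuardPrereqs {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    # Caveat: once a hypervisor (Hyper-V, VBS) is already running, the CPU feature
    # flags below may report False because the hypervisor hides them from the guest.
    [pscustomobject]@{
        Is64Bit        = [Environment]::Is64BitOperatingSystem
        SLAT           = [bool]$cpu.SecondLevelAddressTranslationExtensions
        VTxOrAMDV      = [bool]$cpu.VMMonitorModeExtensions
        VirtFirmwareOn = [bool]$cpu.VirtualizationFirmwareEnabled
        Edition        = $os.Caption
        IsEnterprise   = $os.Caption -match 'Enterprise'
    }
}

$check = Test-ApplicationGuardPrereqs
$check   # show the full result so a failed requirement is visible

if ($check.Is64Bit -and $check.SLAT -and $check.VTxOrAMDV -and
    $check.VirtFirmwareOn -and $check.IsEnterprise) {
    # The cmdlet named in the article; -NoRestart lets the reboot be scheduled.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard |
        Select-Object FeatureName, State
} else {
    Write-Warning 'Application Guard prerequisites not met; see the object above.'
}
```

If VirtFirmwareOn reports False on hardware that supports VT-x or AMD-V, the extension is usually disabled in firmware and must be turned on there before the feature will start its container.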

Windows Defender Device Guard

Device Guard is a new name for software restriction policies. Unless an application is trusted, it cannot be run on the system. Rather than the current model, where we trust software by default, Device Guard assumes all software is suspect and only allows software you trust to run on your system. Like Application Guard, the requirements include virtualization technology.

Windows Information Protection (WIP)

WIP now works with Office and Azure Information Protection. WIP used to be called Enterprise Data Protection. Setting a WIP policy ensures that files downloaded from an Azure location will be encrypted. You can set a listing of apps that are allowed to access this protected data.

BitLocker

The minimum PIN length for BitLocker was changed in version 1709 from six to four, with six as the default.

Windows Hello

Microsoft’s facial authentication system has been improved in version 1709 to use proximity settings to allow multifactor authentication in more sensitive deployments.

Windows Update for Business

The group policy settings that allow you to better control updating in Windows 10 now include the ability to control the use of Insider Edition on systems in your network. This allows you to enroll business systems in Microsoft’s beta testing process. Organizations may wish to opt into this program to better test and prepare for feature releases.

Security features prior to version 1709

Security changes and enhancements introduced in previous editions include the following:

Windows Defender Advanced Threat Protection

Windows 10 1703 introduced the ability to use the threat intelligence API to build custom alerts. Improvements were made in operating system memory and kernel sensors to better detect attacks deep into the operating system. It also allowed for six months of historical detection to better review for patterns. Antivirus detection and Device Guard events were placed in the Threat Protection portal. Windows 10 1607 originally introduced the online cloud forensic tool to the Windows 10 platform for the first time.

Windows Defender Antivirus

This was renamed from Windows Defender in version 1703 and was integrated into the Windows Defender Security Center application. In addition, behavior monitoring and real-time protection were enhanced. In Windows 10 1607, PowerShell cmdlets were introduced to configure options and run scans.

Windows Defender Credential Guard

Usernames and passwords are stolen on a regular basis to gain access into systems. An attacker gains access to one compromised system and then, using attacks such as “Pass the hash” or “Pass the ticket”, can harvest credentials saved on systems to perform lateral movement across a network. Credential Guard protects NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials from attackers. However, be aware that single sign-on applications may not work if Credential Guard is enabled.
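Both the Device Guard section and this Credential Guard section depend on virtualization-based security being up. A status check for that, as an added example that is not part of the original article: it reads the Win32_DeviceGuard class that Windows 10 exposes under the DeviceGuard WMI namespace, and the function name is hypothetical.

```powershell
# Added example (not from the article): report whether virtualization-based
# security is running and whether Credential Guard and HVCI (the Device Guard
# code-integrity service) are configured and active. Function name is hypothetical.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = 1 -in $dg.SecurityServicesConfigured
        CredentialGuardRunning    = 1 -in $dg.SecurityServicesRunning
        HvciConfigured            = 2 -in $dg.SecurityServicesConfigured
        HvciRunning               = 2 -in $dg.SecurityServicesRunning
    }
}

Get-CredentialGuardState
```

A machine that shows CredentialGuardConfigured as True but CredentialGuardRunning as False has the policy applied but has not met the prerequisites (or has not rebooted since), which is the state to hunt for after a rollout: those hosts still expose their cached credentials to the attacks described above.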